CVE-2026-39910 (CRITICAL), CNA: VulnCheck

CVE-2026-39910: STACKIT IaaS API Privilege Escalation via Service Account Attachment

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
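The missing check described above, modelled as an added example that is not STACKIT's code: a minimal attach-service-account handler in its flawed form (only verifies that the caller controls the VM) next to a corrected form that also enforces the tenant boundary and the caller's right to act as the service account. All names (projects, accounts, the act_as grant set) are constructed for illustration.

```python
# Added example: model of the authorization gap behind CVE-2026-39910.
# Hypothetical types and names; not the STACKIT IaaS API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    project: str  # tenant/project that owns the service account


@dataclass(frozen=True)
class Server:
    name: str
    project: str
    owner: str  # user who controls the VM


@dataclass
class Caller:
    user: str
    act_as: set = field(default_factory=set)  # SA names the caller may use


class Forbidden(Exception):
    pass


def attach_vulnerable(caller: Caller, server: Server, sa: ServiceAccount) -> str:
    """Flawed pattern: only checks VM ownership, so any SA can be attached."""
    if server.owner != caller.user:
        raise Forbidden("caller does not control this server")
    return sa.name  # attached; its IMDS token is now readable from the VM


def attach_fixed(caller: Caller, server: Server, sa: ServiceAccount) -> str:
    """Corrected pattern: same-project SA and an explicit act-as grant."""
    if server.owner != caller.user:
        raise Forbidden("caller does not control this server")
    if sa.project != server.project:
        raise Forbidden("service account belongs to another project")
    if sa.name not in caller.act_as:
        raise Forbidden("caller is not permitted to act as this service account")
    return sa.name


def is_allowed(handler, caller: Caller, server: Server, sa: ServiceAccount) -> bool:
    """True if the handler would attach the account, False if it refuses."""
    try:
        handler(caller, server, sa)
        return True
    except Forbidden:
        return False
```

Running the two handlers against a constructed low-privileged caller, their own VM, and an organization-level service account from another project shows the vulnerable handler attaching it and the fixed handler refusing.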

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 2026-05-28
Affected Products: 1


HarborGuard Analysis

Synopsis

Missing authorization check in the STACKIT IaaS API allows a network-accessible attacker with no privileges to attach arbitrary service accounts to virtual machines they control, then retrieve high-privileged OAuth2 tokens via the Instance Metadata Service. Successful exploitation grants full organization-level access, crossing tenant boundaries and enabling unauthorized control over all resources in the affected environment. A patched-image rebuild at version 2026-05-28 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-39910 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or depend on the STACKIT IaaS API. Any image carrying a version older than 2026-05-28 is flagged automatically.
Triage (Available)

HarborGuard scores this CVE at CVSS 9.3 (Critical) and surfaces it at the top of each affected environment's finding queue, weighted further by any per-environment compliance policies that treat privilege-escalation or cross-tenant risks as elevated priorities. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch (Available)

A patched-image rebuild at version 2026-05-28 becomes available through HarborGuard once the upstream fix is confirmed present in the base image. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoint is exposed over the network, so the attacker must be able to reach the STACKIT IaaS API service across a network connection.

  • Authentication: Not required

    No authentication is required according to the CVSS vector, which specifies PR:N, meaning any unauthenticated network client can invoke the vulnerable endpoint. Note that the description states a low-privileged authenticated context is sufficient, while the vector records no credential barrier at all.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker exercises the vulnerable endpoint directly without any user action.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and imposes no race-condition or environmental precondition on the attacker.

Blast Radius

  • Attacker retrieves valid high-privileged OAuth2 tokens from the Instance Metadata Service, gaining authenticated access to the full STACKIT organization.
  • Attacker reads sensitive data across all projects and tenants in the organization, including stored credentials, configuration, and customer records.
  • Attacker modifies or deletes virtual machines, service accounts, and other infrastructure resources across tenant boundaries.
  • Attacker disrupts availability of running workloads throughout the organization by terminating or reconfiguring compute resources.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-39910 is active the moment the advisory is ingested, and any image carrying a STACKIT IaaS API version older than 2026-05-28 is flagged Critical in the finding queue. A rebuilt image at the 2026-05-28 fix version is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard performs the patched rebuild, executes a regression run, and opens a pull request against affected workloads; for Critical-severity issues, the median time from publication to merged patch PR is approximately 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with patch-version details so teams can act manually. As a compensating control until the patch is applied, customers should enforce network policy to restrict which principals can reach the PUT servers service-accounts endpoint and apply egress filtering on Instance Metadata Service access to reduce token-retrieval exposure.


Fix available: 2026-05-28

Affected packages
  • STACKIT / IaaS API: < 2026-05-28 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N